INFORMATION SECURITY PROGRAM
National Transportation Safety Board

Report Number: FI-2004-097
Date Issued: September 28, 2004

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General
Washington, D.C. 20590

September 28, 2004

The Honorable Ellen Engleman Conners
Chairman
National Transportation Safety Board
490 L'Enfant Plaza, SW
Washington, DC 20594

Dear Chairman Engleman Conners:

This report presents the results of our audit of the information security program at the National Transportation Safety Board (NTSB). The Federal Information Security Management Act (FISMA) of 2002 requires each agency to develop, document, and implement an agencywide information security program to protect the information and information systems that support the operations and assets of the agency. FISMA also requires 24 large Federal agencies to report annually to the Congress on their information security programs. This year the Office of Management and Budget (OMB) expanded FISMA reporting requirements to all departments and agencies that are subject to the Paperwork Reduction Act of 1995, including NTSB.

NTSB is responsible for investigating accidents in all transportation modes to determine the cause and recommend changes to improve safety and reduce the likelihood and consequences of future accidents. NTSB plays a critical role in ensuring a safe transportation system. To support its investigation operations nationwide, NTSB has implemented an information technology (IT) infrastructure, including communication networks, computer laboratories, and various software application systems, to support NTSB's Headquarters, 10 regional offices, and the NTSB Academy.
This IT infrastructure enables NTSB's investigators to gather accident evidence, analyze information from voice and data recorders, assist victims' family members, and provide accident investigation results to the American public. NTSB invests about $2 million to $3 million annually in IT system operations.

Responding to requirements of FISMA, the Department of Transportation Office of Inspector General performed an audit of NTSB's information security program. Our objectives were to (1) evaluate the effectiveness of NTSB's information security program, and (2) provide input to NTSB's annual FISMA report by answering questions specified by OMB.

Since this is the first year that NTSB has been asked to implement the FISMA requirements, we focused our audit on the overall adequacy of the information security program and network security. The audit was conducted in accordance with Government Auditing Standards prescribed by the Comptroller General of the United States. We plan to do a more detailed evaluation during fiscal year (FY) 2005. Our input to NTSB's annual FISMA report is in Enclosure 1. Our scope and methodology are described in Enclosure 2.

Results in Brief

NTSB has installed firewall security to protect its IT infrastructure against cyber attacks from the Internet and is using a swipe card system to control physical access at the Headquarters.
However, we found that NTSB's network computers are vulnerable to unauthorized access by insiders as a result of the lack of an agencywide information security program.

FISMA requires each agency, through the Chief Information Officer (CIO), to implement an agencywide information security program to protect the information and information systems that support the operations and assets of the agency. To effectively implement this program, agencies need to develop and implement security plans and maintain a system inventory. As part of its responsibilities under FISMA, OMB also requires that agencies perform security certification reviews on their information systems. However, we found that none of the following requirements had been implemented at NTSB:

• Designating an agency CIO, or equivalent, responsible for the implementation of an agencywide information security program;
• Establishing a system inventory of major information systems;
• Developing security plans in accordance with the National Institute of Standards and Technology guidance;
• Requiring that information systems be certified as adequately secured commensurate with operational risks before accreditation for business use; and
• Documenting security weaknesses and corrective actions in the Plan of Action and Milestones, as required by OMB.

Using commercial scanning software, we performed a vulnerability assessment on NTSB private networks and the firewall server. Our assessment showed that the firewall is reasonably configured to prevent unauthorized access from the Internet. Due to time constraints, we did not perform a complete review of the firewall security capabilities.
We plan to perform a more detailed review of NTSB's firewall security in FY 2005. However, we found NTSB systems and data are vulnerable to insiders—we identified over 250 high-risk, 460 medium-risk, and 4,500 low-risk vulnerabilities on NTSB network computers.[1] All the high-risk vulnerabilities we identified were on the "Top Twenty Vulnerabilities List" jointly developed by the SANS Institute and the Department of Homeland Security. These vulnerabilities could allow insiders—NTSB employees, contractors, and business associates—to gain unauthorized access to NTSB business information stored on these computers.

For example, with these vulnerabilities, we were able to gain total (root-level) control of 28 NTSB computers, including a computer in the Chairman's Office. We could have changed computer configurations, installed virus software, or deleted all files on the computers. In fact, we did obtain substantial sensitive information from these computers, such as:

• NTSB payroll data that list the annual salaries and social security numbers of NTSB employees, including the Chairman and Board members;
• Internal documents on preliminary investigation issues; and
• Personal information including employees' birth dates, home addresses, and credit card numbers.

Our network activities went undetected because NTSB has no intrusion detection and monitoring capabilities.

The lack of an agencywide information security program puts the integrity, confidentiality, and availability of NTSB business operations at risk, as we demonstrated.
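The summary above notes that the audit team's scanning of the private network went undetected because NTSB had no intrusion detection or monitoring capability. The following Python script is an added illustration of the kind of monitoring the report calls for; it is not the OIG's tooling and contains no NTSB data. It assumes a hypothetical connection-log format (one line per connection attempt carrying a timestamp, source address, destination address and destination port), constructed sample records, and detection thresholds (5 distinct hosts or 10 distinct ports on one host within 60 seconds) chosen for the example.

```python
"""Detecting network sweeps and port scans from connection logs.
Added example: not part of the OIG report; log format and sample data are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Hypothetical connection-log format:
#   "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(lines):
    """Parse log lines into time-ordered connection records; malformed lines are skipped."""
    conns = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # a monitor must tolerate junk lines rather than stop
        conns.append(Conn(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return sorted(conns)


def detect_scans(lines, window=timedelta(seconds=60), host_threshold=5, port_threshold=10):
    """Slide a time window over each source's connections and flag:
    - a sweep: one source contacting >= host_threshold distinct hosts within the window;
    - a port scan: one source probing >= port_threshold distinct ports on one host in the window.
    Returns {alert key: peak count}: ("sweep", src) -> hosts, ("portscan", src, dst) -> ports."""
    by_src = defaultdict(list)
    for c in parse_log(lines):
        by_src[c.src].append(c)

    alerts = {}
    for src, conns in by_src.items():
        start = 0
        for end, c in enumerate(conns):
            while c.ts - conns[start].ts > window:  # drop connections older than the window
                start += 1
            in_window = conns[start:end + 1]
            hosts = {x.dst for x in in_window}
            if len(hosts) >= host_threshold:
                key = ("sweep", src)
                alerts[key] = max(alerts.get(key, 0), len(hosts))
            ports_by_host = defaultdict(set)
            for x in in_window:
                ports_by_host[x.dst].add(x.dport)
            for dst, ports in ports_by_host.items():
                if len(ports) >= port_threshold:
                    key = ("portscan", src, dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts


# Constructed sample log: one internal host sweeps six machines on port 445, then probes
# eleven ports on a single server; a second host generates ordinary traffic; one line is junk.
SAMPLE_LOG = (
    [f"2004-09-15T10:00:{i:02d} src=10.1.5.23 dst=10.1.7.{i} dport=445 proto=tcp" for i in range(1, 7)]
    + [f"2004-09-15T10:01:{i:02d} src=10.1.5.23 dst=10.1.7.10 dport={p} proto=tcp"
       for i, p in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389))]
    + ["2004-09-15T10:00:05 src=10.1.5.40 dst=10.1.7.10 dport=80 proto=tcp",
       "2004-09-15T10:00:09 src=10.1.5.40 dst=10.1.7.10 dport=80 proto=tcp",
       "2004-09-15T10:00:30 src=10.1.5.40 dst=10.1.7.11 dport=25 proto=tcp",
       "not a connection record"]
)

if __name__ == "__main__":
    for key, count in sorted(detect_scans(SAMPLE_LOG).items()):
        print(key, count)
```

On the constructed log the script raises two alerts for source 10.1.5.23 (a sweep peaking at 7 distinct hosts, because the first probe of the server still falls inside the window opened by the sweep, and a port scan of 11 ports on 10.1.7.10) and none for the ordinary client. In practice the thresholds are tuned to each segment's normal traffic, and the same sliding-window approach applies to authentication logs, for example to flag administrator logons from unusual sources.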
In our opinion, this constitutes a significant deficiency and should be reported as a material internal control weakness to OMB and Congress under the Federal Managers' Financial Integrity Act of 1982.

[1] High-risk vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing execution of remote commands. Medium-risk and low-risk vulnerabilities may provide an attacker with useful information, such as password files, that they can then use to compromise a computer system.

NTSB has demonstrated a strong commitment to strengthening its information security practices. During the last quarter of FY 2004, NTSB began to develop a system inventory, started to provide security awareness training to employees, and provided specialized training to 40 percent of its employees with significant IT security responsibilities. Responding to a draft of this report, the NTSB Chairman agreed to take immediate actions to eliminate the high-risk and medium-risk vulnerabilities we identified. The NTSB Chairman also agreed to implement our recommendations by appointing a CIO and implementing an effective information security program in FY 2005. These corrective actions, when fully implemented, will establish a solid foundation for an effective information security program that will enhance the integrity, confidentiality, and availability of NTSB information system operations.

FINDING AND RECOMMENDATIONS

NTSB Needs To Implement an Agencywide Information Security Program

FISMA requires each agency, through the CIO, to implement an agencywide information security program to protect the information and information systems that support the operations and assets of the agency.
To effectively implement this program, agencies need to develop and implement security plans and maintain a system inventory. As part of its responsibilities under FISMA, OMB also requires that agencies perform security certification reviews on their information systems. However, we found that none of these requirements had been implemented at NTSB.

NTSB does not have an agency CIO. The Director of the Office of Research and Engineering has assumed limited CIO responsibilities for managing IT resources and providing information security for NTSB networks and computer systems. However, this official was not given clear authority and responsibility to develop and maintain an agencywide information security program, including effective implementation of security policies, procedures, and control techniques. Further, NTSB did not:

• Have an inventory of all the information systems used to support its operational needs;
• Develop security plans for protecting its information systems, which should address rules of behavior for system use, training requirements for security responsibilities, personnel controls, technical controls,
continuity of operations, incident response capabilities, and system interconnections;[2]
• Require that information systems be certified as adequately secured commensurate with operational risks before accreditation for business use; and
• Document security weaknesses and corrective actions in the Plan of Action and Milestones, as required by OMB.

In response to our audit, NTSB has agreed to appoint a CIO and assign a priority to implementing an effective information security program in FY 2005. Specifically, NTSB has initiated an inventory of the information systems used by various offices to support their business operations, and has agreed to develop a security plan for each system, establish a target date for all information systems to undergo security certification reviews, and document security weaknesses and corrective actions as required by OMB.

NTSB Needs To Strengthen Network Security To Prevent Unauthorized Access by Insiders

In addition to publishing the final accident investigation results on its public websites, NTSB uses its private network to support investigation work, such as analyzing information from voice and data recorders, storing information concerning victims' family members, and processing payroll and personnel information. This private network can be accessed by authorized users at NTSB Headquarters and regional offices or from a remote location through telephone line (dial-up) connections.

To protect its private networks, NTSB has installed firewall security as the first-level defense against cyber attacks from the Internet and password security over remote access through telephone line connections.
Using commercial scanning software, we performed a vulnerability assessment on NTSB private networks and the firewall server. Our assessment showed the firewall is reasonably configured to prevent unauthorized access from the Internet. However, we found that NTSB networks are vulnerable to unauthorized access by insiders—NTSB employees, contractors, and business associates.

Specifically, we identified a total of 5,309 (256 high-risk, 461 medium-risk, and 4,592 low-risk) vulnerabilities on 719 NTSB network computers. All the high-risk vulnerabilities we identified were on the "Top Twenty Vulnerabilities List" jointly identified by the SANS Institute and the Department of Homeland Security. A summary of the scanning results is shown in the table.

[2] National Institute of Standards and Technology Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998.

Table. NTSB Network Scanning Results

Location          Vulnerabilities Found          Total             Computers
                  High    Medium     Low         Vulnerabilities   Scanned
HQ Networks        189       360    1809         2358              493
Field Networks      67       101    2783         2951              226
Total              256       461    4592         5309              719

While scanning the NTSB networks, we gained total (root-level) control of 28 computers, including a computer in the Chairman's office.
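The table above is the kind of roll-up a defender produces from raw scanner output, and this finding goes on to note that a handful of missing patches accounted for a fifth of the high-risk results and that most of the machines taken over had blank or guessable administrator passwords. The following Python script is an added example of that triage; it is not the OIG's tooling and contains no NTSB data. The findings, host names, locations and fix identifiers (PATCH-A, CFG-ADMIN-PWD and so on) are constructed, and the severity weights are an assumption. From per-host findings it reproduces the table's layout, ranks fixes by the weighted number of findings each one closes, computes the share of high-risk findings that a chosen set of patches would eliminate, and lists hosts whose findings indicate a blank or default administrator password.

```python
"""Triage of vulnerability scan findings.
Added example: not the OIG's tooling; all hosts, findings and fix ids are invented."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    location: str       # network segment, e.g. "HQ" or "Field"
    severity: str       # "high", "medium" or "low", as rated by the scanner
    title: str
    fix: Optional[str]  # hypothetical id of the patch or config change that closes it


SEVERITIES = ("high", "medium", "low")

# Constructed sample findings (not scan output from any real network).
SAMPLE_FINDINGS = [
    Finding("hq-ws-01", "HQ", "high", "Blank administrator password", "CFG-ADMIN-PWD"),
    Finding("hq-ws-01", "HQ", "medium", "File share readable by all users", "CFG-SHARE-ACL"),
    Finding("hq-ws-02", "HQ", "high", "Missing vendor patch", "PATCH-A"),
    Finding("hq-ws-02", "HQ", "low", "Service banner discloses OS version", None),
    Finding("hq-srv-01", "HQ", "high", "Missing vendor patch", "PATCH-A"),
    Finding("hq-srv-01", "HQ", "high", "Missing vendor patch", "PATCH-B"),
    Finding("fld-ws-01", "Field", "high", "Default administrator password", "CFG-ADMIN-PWD"),
    Finding("fld-ws-01", "Field", "low", "ICMP timestamp response", None),
    Finding("fld-ws-02", "Field", "medium", "Missing vendor patch", "PATCH-C"),
    Finding("fld-ws-02", "Field", "low", "Service banner discloses OS version", None),
]


def summarize(findings):
    """Per-location counts by severity plus affected hosts, in the layout of the
    report's scanning table. Hosts with no findings would come from the scanner's
    host list, which this sample does not carry."""
    counts = defaultdict(Counter)
    hosts = defaultdict(set)
    for f in findings:
        counts[f.location][f.severity] += 1
        hosts[f.location].add(f.host)
    rows = {}
    for loc in sorted(counts):
        row = {sev: counts[loc][sev] for sev in SEVERITIES}
        row["total"] = sum(row.values())
        row["hosts"] = len(hosts[loc])
        rows[loc] = row
    rows["Total"] = {k: sum(r[k] for r in rows.values()) for k in (*SEVERITIES, "total", "hosts")}
    return rows


def rank_fixes(findings, weights=None):
    """Rank patches and configuration changes by the weighted number of findings each
    closes, so that the few fixes covering many high-risk findings surface first.
    Returns [(fix id, score, number of distinct findings closed), ...]."""
    weights = weights or {"high": 10, "medium": 3, "low": 1}  # assumed weights
    score = Counter()
    closes = defaultdict(set)
    for f in findings:
        if f.fix is not None:
            score[f.fix] += weights[f.severity]
            closes[f.fix].add((f.host, f.title))
    ordered = sorted(score, key=lambda fix: (-score[fix], fix))
    return [(fix, score[fix], len(closes[fix])) for fix in ordered]


def high_risk_share_closed(findings, applied):
    """Fraction of high-risk findings that applying the given set of fixes would eliminate."""
    high = [f for f in findings if f.severity == "high"]
    if not high:
        return 0.0
    return sum(1 for f in high if f.fix in applied) / len(high)


def hosts_with_weak_admin_password(findings):
    """Hosts whose findings indicate a blank or default administrator password."""
    return sorted({f.host for f in findings if "administrator password" in f.title.lower()})


if __name__ == "__main__":
    for loc, row in summarize(SAMPLE_FINDINGS).items():
        print(f"{loc:8} {row}")
    print(rank_fixes(SAMPLE_FINDINGS))
    print(high_risk_share_closed(SAMPLE_FINDINGS, {"PATCH-A", "PATCH-B"}))
    print(hosts_with_weak_admin_password(SAMPLE_FINDINGS))
```

On the constructed data the two top-ranked fixes are the administrator-password change and one vendor patch, each closing two high-risk findings, and applying PATCH-A alone would remove 40 percent of the high-risk findings. The ranking is the point: it turns a long scanner report into a short ordered list of actions, which is what a patch-management procedure of the kind the recommendations call for has to produce.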
With this level of control, we could have changed computer configurations, installed virus software, or deleted all files on the computers.

In fact, we were able to copy substantial information from these computers, such as NTSB payroll data that list the annual salaries and social security numbers of all NTSB employees, including the Chairman and Board members; internal documents on preliminary investigation issues; and identifiable personal information, including employees' birth dates, home addresses, and credit card numbers.

NTSB management was not aware of the existence of these vulnerabilities because NTSB has not obtained the proper tools and trained personnel to periodically scan its networks for protection. Also, our network activities went undetected because NTSB has no intrusion detection and monitoring capabilities that can detect abnormal activities on its private networks.

These network vulnerabilities existed due to inadequate configuration controls and patch management. NTSB did not meet the Government security configuration requirements for its computers. For example, among the 28 computers that we took control over, 24 of them required no password for the system administrator account, and the other 4 used passwords that could be easily guessed, such as "password." We also found NTSB has not established a procedure to promptly install software patches as required by OMB. For example, we found 14 critical software patches released by a manufacturer had not been installed on NTSB computers. Installing these patches could have easily eliminated 20 percent of the high-risk vulnerabilities we identified.

NTSB is taking actions to fix the high-risk and medium-risk vulnerabilities and is reviewing the remaining ones. In addition to strengthening network configuration
controls and patch management, NTSB also needs to establish vulnerability scanning and intrusion detection capabilities to protect its network computers against unauthorized access.

As we demonstrated, the lack of an agencywide information security program puts the integrity, confidentiality, and availability of NTSB business operations at risk. In our opinion, this constitutes a significant deficiency and should be reported as a material internal control weakness on the annual Federal Managers' Financial Integrity Act report to OMB and Congress.

RECOMMENDATIONS

A. We recommend that the NTSB Chairman:

   1. Designate a Chief Information Officer to enhance the information security management practice in NTSB.

   2. Direct the Chief Information Officer to implement an agencywide information security program by December 31, 2004, that includes:
      a. Providing security awareness training to all employees and specialized training to employees with significant IT security responsibilities,
      b. Completing an information systems inventory,
      c. Establishing a schedule to complete system security certification reviews of all systems,
      d. Providing guidelines to system owners for developing and implementing security plans to address security requirements and responsibilities for NTSB networks, facilities, and systems or groups of information systems, and
      e. Documenting security weaknesses identified and corrective actions taken in accordance with OMB guidance.

   3. Direct the Chief Information Officer to enhance NTSB network security by:
      a. Correcting all high-risk and medium-risk vulnerabilities we identified by December 31, 2004.
      b.
      Ensuring network computers are properly configured in accordance with Government standards and developing procedures to ensure timely installation of software patches by March 31, 2005.
      c. Obtaining proper tools and training personnel to periodically scan networks for potential vulnerabilities and deploying an intrusion detection capability to monitor network traffic for abnormal activities by June 30, 2005.

MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR GENERAL ANALYSIS

A draft of this report was provided to the NTSB Chairman for comments on September 20, 2004. The Chairman responded on September 22, 2004, and concurred with all recommendations (see Appendix). The actions planned by NTSB are reasonable and should provide a solid foundation to implement an effective computer security program. We will continue monitoring NTSB's progress in implementing these recommendations.

We appreciate the courtesies and cooperation of National Transportation Safety Board representatives during this audit. If you have any questions concerning this report, please call me on (202) 366-1992 or Theodore P. Alves, Assistant Inspector General for Financial and Information Technology Audits, at (202) 366-1496.

Sincerely,

Alexis M. Stefani
Principal Assistant Inspector General for Auditing and Evaluation

Enclosures (3)

Enclosure 1.
Office of Inspector General Input to FISMA Report

FY 2004 marks the first time that NTSB needs to comply with FISMA, which requires independent evaluation of agencies' information security programs. Accordingly, the Department of Transportation Office of Inspector General performed a review of NTSB's information security program. NTSB's key missions are investigating accidents in all transportation modes, determining the causes, and making recommendations to improve safety. It has implemented an IT infrastructure, including communication networks, computer laboratories, and various software application systems, to support operations at NTSB Headquarters, 10 regional offices, and its Academy. NTSB invests about $2 million to $3 million annually in IT system operations.

Unlike the 24 large Federal agencies that first had to comply with FISMA, NTSB does not have a Chief Information Officer responsible for IT management and security. We also found that NTSB has not implemented an agencywide information security program, including establishing a system inventory, conducting system security certification reviews in accordance with the National Institute of Standards and Technology guidance, and developing security plans. In other words, when compared with large Federal agencies, NTSB is in an early stage of complying with FISMA requirements. Our answers to OMB questions reflect the fact that NTSB is in the early stage of implementing an IT security program.

Our independent evaluation also identified vulnerabilities in NTSB's networks, which enabled us (acting as an insider) to gain unauthorized access to sensitive information such as employees' salaries, social security numbers, home addresses, and credit card numbers, as well as preliminary accident investigation results.
In our opinion, NTSB's information security program constitutes a significant deficiency and should be reported as a material internal control weakness to OMB and Congress under the Federal Managers' Financial Integrity Act of 1982.

NTSB has demonstrated a strong commitment to strengthening its information security practices. During the last quarter of FY 2004, it made an effort to develop a system inventory, started providing security awareness training to employees, and provided specialized training to 40 percent of its employees with significant IT security responsibilities. The NTSB Chairman also agreed to implement the recommendations specified in our independent evaluation report. These corrective actions, when fully implemented, will enhance the integrity, confidentiality, and availability of NTSB information system operations. We plan to conduct a detailed review of NTSB's implementation efforts and will include the results in next year's FISMA report.

2004 FISMA Report

Agency: National Transportation Safety Board
Date Submitted: 09/28/2004
Submitted By: OIG
Contact Information:
   Name: Rebecca Leng
   E-mail: Rebecca.C.leng@oig.dot.gov
   Phone: 202-366-1488
Section A: System Inventory and IT Security Performance
NOTE: ALL of Section A should be completed by BOTH the Agency CIO and the OIG.

A.1. By bureau (or major agency operating component), identify the total number of programs and systems in the agency and the total number of contractor operations or facilities. The agency CIOs and IGs shall each identify the total number that they reviewed as part of this evaluation in FY04. NIST 800-26 is to be used as guidance for these reviews.

A.2. For each part of this question, identify actual performance in FY04 for the total number of systems by bureau (or major agency operating component) in the format provided below.

Columns (each reported as total number / number reviewed for A.1, and total number / percent of total for A.2):
   A.1.a. FY04 Programs
   A.1.b. FY04 Systems
   A.1.c. FY04 Contractor Operations or Facilities
   A.2.a. Number of systems certified and accredited
   A.2.b. Number of systems with security control costs integrated into the life cycle of the system
   A.2.c. Number of systems for which security controls have been tested and evaluated in the last year
   A.2.d. Number of systems with a contingency plan
   A.2.e. Number of systems for which contingency plans have been tested

Bureau Name     A.1.a.   A.1.b.   A.1.c.   A.2.a.    A.2.b.    A.2.c.    A.2.d.    A.2.e.
NTSB            -        -        1 / 1    0 / n/a   0 / n/a   0 / n/a   0 / n/a   0 / n/a
Agency Total    0 / 0    0 / 0    1 / 1    0 / n/a   0 / n/a   0 / n/a   0 / n/a   0 / n/a

(The percent-of-total cells in the submitted spreadsheet read "#DIV/0!" because no systems had yet been inventoried; they are shown here as n/a. The other bureau rows of the template were blank.)

Comments: This is the first year that NTSB has been asked to implement the FISMA reporting requirement. NTSB is in the process of identifying its programs and systems. NTSB's financial system is operated by the Department of the Interior. An application control for this system has been reviewed by an independent audit firm. NTSB has agreed to finalize its system inventory and develop a timetable for conducting C&A reviews by December 31, 2004.

A.3. Evaluate the degree to which the following statements reflect the status in your agency, by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the Comment area provided below.

Statement and Evaluation

a. Agency program officials and the agency CIO have used appropriate methods to ensure that contractor provided services or services provided by another agency for their program and systems are adequately secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.
   Evaluation: Rarely, or 0-50% of the time

b. The reviews of programs, systems, and contractor operations or facilities, identified above, were conducted using the NIST self-assessment guide, 800-26.
   Evaluation: Rarely, or 0-50% of the time

c. In instances where the NIST self-assessment guide was not used to conduct reviews, the alternative methodology used addressed all elements of the NIST guide.
   Evaluation: Rarely, or 0-50% of the time

d. The agency maintains an inventory of major IT systems and this inventory is updated at least annually.
   Evaluation: Rarely, or 0-50% of the time

e. The OIG was included in the development and verification of the agency's IT system inventory.
   Evaluation: Rarely, or 0-50% of the time

f. The OIG and the CIO agree on the total number of programs, systems, and contractor operations or facilities.
   Evaluation: Rarely, or 0-50% of the time

g. The agency CIO reviews and concurs with the major IT investment decisions of bureaus (or major operating components) within the agency.
   Evaluation: Rarely, or 0-50% of the time

Statement and Yes or No

h. The agency has begun to assess systems for e-authentication risk.
   Evaluation: No

i. The agency has appointed a senior agency information security officer that reports directly to the CIO.
   Evaluation: No

Comments: To meet the FISMA requirements, NTSB has initiated an effort to inventory the information systems used by program offices, and agreed to finalize the system inventory by December 31, 2004. In addition, the NTSB Chairman has designated an agency Chief Information Officer who is responsible for IT management and security.

Section B: Identification of Significant Deficiencies
NOTE: ALL of Section B should be completed by BOTH the Agency CIO and the OIG.

B.1. By bureau, identify all FY 04 significant deficiencies in policies, procedures, or practices required to be reported under existing law. Describe each on a separate row, and identify which are repeated from FY03.
In addition, for each significant deficiency, indicate whether a POA&M has been developed. Insert rows as needed.\n\n\n                                                                                         B.1.\n                                                                                                   FY04 Significant Deficiencies\n                                                            Total Number                                                                                              POA&M\n                                               Total          Repeated                                                                                              developed?\n             Bureau Name                      Number         from FY03                       Identify and Describe Each Significant Deficiency                       Yes or No\nNTSB                                                    1              0   NTSB information security protgram                                                  No                   Yes\n\n\n\n\nAgency Total                                           1               0\n\n\nComments: The lack of an agencywide information security program constitutes a significant deficiency. We recommend that this be reported to OMB and\nCongress under FMFIA as a material internal control weakness.\n\n\n\n\n   Report No. FI-2004-097\n\x0c                                                                                                                                                              Enclosure 1\n                                                                                                                                                                      14\nSection C: OIG Assessment of the POA&M Process\nNOTE: Section C should *ONLY* be completed by the OIG. The CIO should leave this section blank.\nTo enter data in allowed fields, use password: fisma\n   C.1. 
Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agencywide plan of action and milestones (POA&M) process. This question is for IGs only. Evaluate the degree to which the following statements reflect the status in your agency, choosing from the responses provided. If appropriate or necessary, include comments in the Comment area provided below.

Statement | Evaluation
a. Known IT security weaknesses, from all components, are incorporated into the POA&M. | Rarely, or 0-50% of the time
b. Program officials develop, implement, and manage POA&Ms for systems they own and operate (systems that support their program or programs) that have an IT security weakness. | Rarely, or 0-50% of the time
c. Program officials report to the CIO on a regular basis (at least quarterly) on their remediation progress. | Rarely, or 0-50% of the time
d. The CIO develops, implements, and manages POA&Ms for every system the CIO owns and operates (a system that supports the CIO's program or programs) that has an IT security weakness. | Rarely, or 0-50% of the time
e. The CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis. | Rarely, or 0-50% of the time
f. The POA&M is the authoritative agency and IG management tool to identify and monitor agency actions for correcting information and IT security weaknesses. | Rarely, or 0-50% of the time
g. System-level POA&Ms are tied directly to the system budget request through the IT business case, as required in OMB budget guidance (Circular A-11). | Rarely, or 0-50% of the time
h. The OIG has access to POA&Ms as requested. | Rarely, or 0-50% of the time
i. OIG findings are incorporated into the POA&M process. | Rarely, or 0-50% of the time
j. The POA&M process prioritizes IT security weaknesses to help ensure that significant IT security weaknesses are addressed in a timely manner and receive appropriate resources. | Rarely, or 0-50% of the time

Comments: NTSB has not conducted any security reviews of its information systems, nor used a POA&M to track security weaknesses for correction. NTSB has agreed to develop guidelines for security reviews and POA&M reporting by December 31, 2004.

C.1 OIG Assessment of the Certification and Accreditation Process
Section C is completed only by the OIG. OMB is requesting IGs to assess the agency's certification and accreditation process in order to provide a qualitative assessment of this critical activity. This assessment should consider the quality of the agency's certification and accreditation process. Any new certification and accreditation work initiated after completion of NIST Special Publication 800-37 should be consistent with NIST Special Publication 800-37. This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," to determine an impact level, as well as the associated NIST documents used as guidance for completing risk assessments and security plans. Earlier NIST guidance is applicable to any certification and accreditation work completed or initiated before finalization of NIST Special Publication 800-37. Agencies were not expected to use NIST Special Publication 800-37 as guidance before it became final.

Statement | Evaluation
Assess the overall quality of the agency's certification and accreditation process. | (no evaluation entered)

Comments: NTSB has not performed security certification reviews on any of its information systems. NTSB has agreed to finalize its system inventory and establish a schedule to complete Certification and Accreditation (C&A) reviews on all systems in the system inventory by December 31, 2004.

Section D
NOTE: All of Section D is completed by both the Agency CIO and the OIG.

D.1. First, answer D.1. If the answer is yes, then proceed. If no, then skip to Section E. For D.1.a-f, identify whether agencywide security configuration requirements address each listed application or operating system (Yes, No, or Not Applicable), and then evaluate the degree to which these configurations are implemented on applicable systems. For example: if your agency has a total of 200 systems, and 100 of those systems are running Windows 2000, the universe for evaluation of degree would be 100 systems. If 61 of those 100 systems follow configuration requirement policies, and the configuration controls are implemented, the answer would reflect "Yes" and "51-70%". If appropriate or necessary, include comments in the Comment area provided below.

D.2. Answer Yes or No, and then evaluate the degree to which the configuration requirements address the patching of security vulnerabilities. If appropriate or necessary, include comments in the Comment area provided below.

D.1. Has the CIO implemented agencywide policies that require detailed, specific security configurations, and what is the degree to which the configurations are implemented? | No

Because the answer to D.1 is No, the platform rows below carry no Yes/No/N/A entry and no evaluation:
a. Windows XP Professional
b. Windows NT
c. Windows 2000 Professional
d. Windows 2000
e. Windows 2000 Server
f. Windows 2003 Server
g. Solaris
h. HP-UX
i. Linux
j. Cisco Router IOS
k. Oracle
l. Other. Specify: MS SQL

D.2. Do the configuration requirements implemented above in D.1.a-f address patching of security vulnerabilities? | (no answer entered)

Comments: OIG review identified weak configuration controls and a lack of timely installation of software patches.
NTSB has agreed to develop a procedure to implement Government security configuration standards on computer systems, and to ensure timely patch installation, by March 31, 2005.

Section E: Incident Detection and Handling Procedures
NOTE: All of Section E is completed by both the Agency CIO and the OIG.

E.1. Evaluate the degree to which the following statements reflect the status at your agency. If appropriate or necessary, include comments in the Comment area provided below.

Statement | Evaluation
a. The agency follows documented policies and procedures for reporting incidents internally. | Rarely, or 0-50% of the time
b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. | Rarely, or 0-50% of the time
c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT), http://www.us-cert.gov. | Rarely, or 0-50% of the time

E.2. Incident Detection Capabilities.
a. How many systems underwent vulnerability scans and penetration tests in FY04? | Number of Systems: (blank) | Percentage of Total Systems: (blank)
b. Specifically, what tools, techniques, technologies, etc., does the agency use to mitigate IT security risk?
Answer: NTSB has installed firewall security as the first-level defense against cyber attacks from the Internet, and password security over remote access through telephone line (dial-up) connections.

Comments: NTSB has not established vulnerability scanning and incident reporting capabilities. Using commercial scanning software, OIG identified over 250 high, 460 medium, and 4,500 low vulnerabilities on over 700 computers. NTSB is taking action to fix the identified vulnerabilities, and has agreed to establish vulnerability scanning and intrusion detection and reporting capabilities by June 30, 2005.

Section F: Incident Reporting and Analysis
NOTE: All of Section F is completed by both the Agency CIO and the OIG.

F.1. For each category of incident listed, identify the total number of successful incidents in FY04, the number of incidents reported to US-CERT, and the number reported to law enforcement. If your agency considers another category of incident type to be high priority, include this information in category VII, "Other". If appropriate or necessary, include comments in the Comment area provided below.
F.2. Identify the number of systems affected by each category of incident in FY04. If appropriate or necessary, include comments in the Comment area provided below.

Columns:
F.1.a: Number of incidents reported internally
F.1.b: Number of incidents reported to US-CERT
F.1.c: Number of incidents reported to law enforcement
F.2.a: Number of systems affected, on systems with complete and up-to-date C&A
F.2.b: Number of systems affected, on systems without complete and up-to-date C&A
F.2.c: How many successful incidents occurred for known vulnerabilities for which a patch was available? (number of systems affected)

Category | F.1.a | F.1.b | F.1.c | F.2.a | F.2.b | F.2.c
I. Root Compromise | 0 | 0 | 0 | NA | NA | NA
II. User Compromise | 0 | 0 | 0 | | |
III. Denial of Service Attack | 0 | 0 | 0 | | |
IV. Website Defacement | 0 | 0 | 0 | | |
V. Detection of Malicious Logic | 0 | 0 | 0 | | |
VI. Successful Virus/Worm Introduction | 0 | 0 | 0 | | |
VII. Other | 0 | 0 | 0 | | |
Totals | 0 | 0 | 0 | 0 | 0 | 0

Comments: As part of the FISMA audit, OIG was able to obtain root-level control of 28 computers on NTSB networks. These activities went undetected because NTSB has not established incident monitoring capabilities. NTSB has agreed to implement intrusion detection capabilities by June 30, 2005.

Section G: Training
NOTE: All of Section G is completed by both the Agency CIO and the OIG.

G.1. Has the agency CIO ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities? If appropriate or necessary, include comments in the Comment area provided below.

G.1.a. Total number of employees in FY04: 430
G.1.b. Employees that received IT security awareness training in FY04, as described in NIST Special Publication 800-50: 0 (0%)
G.1.c. Total number of employees with significant IT security responsibilities: 14
G.1.d. Employees with significant security responsibilities that received specialized training, as described in NIST Special Publications 800-50 and 800-16: 6 (40%)
G.1.e. Briefly describe training provided: (blank)
G.1.f. Total costs for providing IT security training in FY04 (in $): (blank)

G.2.a. Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agencywide training? | No

Comments: NTSB will provide security awareness training to all employees by December 2004, and specialized training to the employees with significant IT security responsibilities by October 31, 2004.

Enclosure 2. Scope and Methodology

To fulfill the requirements under FISMA, we reviewed the NTSB information security program. We also provided input to NTSB's FISMA report by answering questions specified by OMB.

We interviewed managers in the Office of the Chief Financial Officer, the Office of Research and Engineering, and the Office of Transportation Disaster Assistance to gather background information. We reviewed documents on security policies and network diagrams, and observed operations in the three computer laboratories: the Material Research Laboratory, the Vehicle Recorders Research Laboratory, and the Vehicle Performance Research Laboratory. Using commercial scanning software, we performed a limited vulnerability assessment of NTSB private networks and the firewall server.

We performed our work between July and September 2004 at NTSB Headquarters in Washington, DC. The audit was conducted in accordance with Government Auditing Standards prescribed by the Comptroller General of the United States, and included such tests as we considered necessary to provide reasonable assurance of detecting abuse or illegal acts.

Enclosure 3. Major Contributors to This Report

The following individuals contributed to this report.

Name | Title
Rebecca C. Leng | Deputy Assistant Inspector General for Information Technology and Computer Security
Ping Z. Sun | Project Manager
John M. Johnson | Senior IT Specialist

Appendix. Management Comments